3 vulnerabilities in the IP video-surveillance systems created by Axis Communications could allow arbitrary code execution, among other attacks.
That’s according to Nozomi Networks Labs, whose researchers examined the company’s Axis Companion Recorder, a compact network video recorder (NVR) that stores IP surveillance video coming from attached cameras (it can support up to 8 at one time).
3 Bugs
They found that the 3 bugs (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) turn out to affect all Axis devices that run the company’s embedded Axis OS.
The bugs are as follows:
- Heap-based buffer overflow (CVE-2021-31986, CVSSv3 rating of 6.7)
- Improper recipient validation in network test functionalities (CVE-2021-31987, CVSSv3 rating of 4.1)
- SMTP header injection in email test functionality (CVE-2021-31988, CVSSv3 rating of 5.5)
Malicious Link
“All attacks require that a victim, while logged into the device, visits a specifically crafted webpage or clicks on a malicious link,” Nozomi researchers explained.
“There are several ways this could happen (phishing, watering holes, etc.) which we do not delve into in this analysis. But it does not take a great deal of expertise, as some of these attacks are well-known types of attacks.”
CVE-2021-31986: Heap-based Buffer Overflow
The 1st vulnerability is in the read call-back function, according to Nozomi, which is called by the “libcurl” function to read data in order to upload or post data to a server or peer.
“Notably, the read call-back function was noticed failing to verify that no more than ‘size’ multiplied by ‘nitems’ number of bytes are copied in the libcurl destination buffer (on our device, 64 KB),” according to information, posted on Tues.
“Among the copied bytes, the read call-back function copies in the libcurl destination buffer the ‘to,’ ‘from,’ ‘subject’ & ‘body’ HTTP parameters of the request to the endpoint.”
This request is normally a GET request that’s limited to less than 10,000 characters: too few to trigger the overflow. However, researchers discovered that they could also send POST requests to the endpoint, which are not restricted by any limit at all.
Cross-Site Request Forgery
In addition, the requests don’t have any protections against cross-site request forgery (CSRF) attacks, researchers added, which opens the way for exploitation without authentication.
As a result, an external remote attacker with a successful social-engineering approach is able to trigger memory corruption on the device & possibly execute arbitrary code.
“The 1st vulnerability relies on a user downloading malicious code to the Axis recorder by just visiting a specifically crafted page while logged in to the Companion application,” Nozomi researchers outlined.
“This could open a range of attacks, such as taking over the camera operations, offloading data, or operating other malicious software against the network.”
CVE-2021-31987: Improper Recipient Validation
The other 2 vulnerabilities rely on test features in the Axis OS that are used for network communication using the standard protocols HTTP, SMTP & TCP.
The 2nd vulnerability specifically arises because of failings in certain blocklist-based security checks, which are used to make sure that HTTP, email & TCP recipients can’t access adjacent network services that are exposed via a local web server.
Known Bypasses
These “blocklist-based security checks to impede interactions with localhost-exposed network services…could be circumvented with known bypasses or were incomplete,” according to the writeup. “We confirmed the feasibility of sending requests to localhost-exposed services.”
To exploit the bug, a user need only click on a malicious link or again visit a specific webpage while logged in. An external remote attacker can then interact with internal-only services running on the device, obtaining access to restricted information, researchers detailed.
Localhost
“Once you can access network services on the localhost, you are directly interacting with internal software that, as such, was not designed to be robust & secure in the same way as an externally reachable one,” they observed.
“Many things could be possible, from the immediate unauthorised access of confidential internal information to the execution of exploits against internal unprotected services, to further compromising the system.”
How this would manifest to the company being attacked could vary depending on the attacker’s intent, they added: “There are a range of possibilities & threats.”
CVE-2021-31988: SMTP Header Injection
The 3rd vulnerability allows SMTP header injection within emails & messaging, thanks to an absence of input validation functions, according to Nozomi.
“As with many other network video recorders, Axis products allow users to set up notifications in case of events, such as motion detection or system malfunctioning,” Nozomi researchers explained.
“Although simple features, if not adequately protected they also can be used to gain access to the device.”
SMTP Header Injection
SMTP header injection allows attackers to inject additional headers with arbitrary values into emails, through which they could send copies of emails to 3rd parties, spread malware, deliver phishing attacks, alter the content of emails, disclose information & more.
In this case, the issue is located in the SMTP test functionality, the firm noted.
“Again, by convincing a victim-user to visit a specifically crafted web page while logged into the Companion Recorder web application, an external remote attacker can trick the device into sending malicious emails to other users with arbitrary SMTP header values,” researchers explained.
IoT Insecurity
Connected camera ecosystems & other internet-of-things gear are often in the crosshairs of both vulnerability hunters & attackers.
The flaws are endemic & tend to have widespread affects: In June, for instance, Nozomi researchers found that millions of connected security & home cameras contained a critical software vulnerability that can allow remote attackers to tap into video feeds.
Original Equipment
The critical bug had been introduced via a supply-chain component from Through Tek that’s used by several original equipment manufacturers (OEMs) of security cameras – along with makers of IoT devices like baby & pet-monitoring cameras & robotic & battery devices.
The 1st half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal data, mine cryptocurrency or build botnets. That represented a more than 100% growth in IoT cyberattacks, according to a Kaspersky analysis of its telemetry.
The best way to stay protected is to patch.
Protect Yourself from Axis Attacks
Axis is in the process of releasing patches for all affected devices, it stated, which could add up to millions of vulnerable endpoints, given Axis’ role as a market leader. The updates are as follows:
CVE-2021-31986 and CVE-2021-31988:
- AXIS OS Active track 10.7
- AXIS OS 2016 LTS track 6.50.5.5
- AXIS OS 2018 LTS track 8.40.4.3
- AXIS OS 2020 LTS track 9.80.3.5
CVE-2021-31987:
- AXIS OS Active track 10.8
- AXIS OS 2016 LTS track 6.50.5.5
- AXIS OS 2018 LTS track 8.40.4.3
- AXIS OS 2020 LTS track 9.80.3.5
“Axis devices not included in these tracks & still under support will receive a patch according to their planned maintenance & release schedule,” the analysis concluded.